Core network attachment through standalone non-3GPP access networks

ABSTRACT

One apparatus includes a processor that creates a second request on behalf of a remote unit from a first request received from a non-3GPP access network, the second request including a subscriber identity of the remote unit. The processor sends the second request to a mobile core to initiate connection of the remote unit to the mobile core and receives a third request from the mobile core, the first request being part of a first authentication procedure and the third request being part of a NAS authentication procedure different than the first authentication procedure. The processor transforms the third request into a fourth request of the first authentication procedure and uses an authentication response of the first authentication procedure to complete connection of the remote unit to the mobile core.

CROSS-REFERENCE TO RELATED APPLICATIONS

This is a continuation application of and claims priority to U.S. patentapplication Ser. No. 16/330,058 entitled “CORE NETWORK ATTACHMENTTHROUGH STANDALONE NON-3GPP ACCESS NETWORKS” and filed on Mar. 1, 2019for Apostolis Salkintzis, which is incorporated herein by reference,which application claims priority to International Patent ApplicationNumber PCT/EP2016/073819 entitled “CORE NETWORK ATTACHMENT THROUGHSTANDALONE NON-3GPP ACCESS NETWORKS” and filed on Oct. 5, 2016 forApostolis Salkintzis, which is also incorporated herein by reference.

FIELD

The subject matter disclosed herein relates generally to wirelesscommunications and more particularly relates to attaching a remote unitto a mobile core network via a standalone non-3GPP access network.

BACKGROUND

The following abbreviations are herewith defined, at least some of whichare referred to within the following description.

3GPP Third Generation Partnership Project

4G Fourth Generation

5G Fifth Generation

AAA Authentication Authorization and Accounting

ANDSF Access Network Discovery and Selection Function

AP Access Point

CP Control Plane

DL Downlink

DTLS Datagram Transport Level Security

EAP Extensible Authentication Protocol

EAP-AKA Extensible Authentication Protocol for 3rd GenerationAuthentication and Key Agreement

EAP-AKA′ Improved Extensible Authentication Protocol for 3rd GenerationAuthentication and Key Agreement

EAPoL Extensible Authentication Protocol over LAN

eNB Evolved Node B

EPC Evolved Packet Core

ePDG Enhanced Packet Data Gateway

ESSID Extended Service Set Identification

E-UTRAN Evolved Universal Terrestrial Radio Access

HSS Home Subscriber Server

IKEv2 Internet Key Exchange version 2

LAN Local Area Network

LTE Long Term Evolution

MME Mobility Management Entity

NSWO Non-Seamless WLAN Offload

OFDM Orthogonal Frequency Division Multiplexing

PCRF Policy and Charging Rules Function

PDN Packet Data Network

PGW Packet Data Network Gateway

PLMN Public Land Mobile Network

RAN Radio Access Network

SC-FDMA Single Carrier Frequency Division Multiple Access

SGW Serving Gateway

TWAG Trusted Wireless Access Gateway

UE User Entity/Equipment (Mobile Terminal)

UL Uplink

UP User Plane

WiMAX Worldwide Interoperability for Microwave Access

WLAN Wireless Local Area Network

Currently, mobile communication networks following the Long TermEvolution (“LTE”) architecture support several different interfacesbetween an Access Network (“AN”) and the Evolved Packet Core (“EPC”)with different types of access networks use different types ofinterfaces. For example, the S1 interface is used only between anEvolved Universal Terrestrial Radio Access (“E-UTRAN”) and EPC. Asanother example, wireless local area network (“WLAN”) access to the EPCinvolves several other interfaces: the S2a and STa interfaces for accessvia trusted WLANs, the SWu and S2b interfaces for access via untrustedWLANs, and the S2c interface for access via either trusted or untrustedWLANs. In addition, new network elements have been specified for WLANinterworking, including the Authentication, Authorization, andAccounting (“AAA”) server, the Evolved Packet Data Gateway (“ePDG”), theTrusted Wireless Access Gateway (“TWAG”), etc. All these differentinterfaces and network elements for connecting different accesses to EPChave resulted to a complex and difficult to manage architecture.

At times, a WLAN access network is integrated into the E-UTRAN in a waythat requires neither new network elements in EPC nor new AN-EPCinterfaces, for example using LTE-WLAN Aggregation (“LWA”). However,such kind of WLAN integration has limited deployment scenarios: the WLANaccess must always be within the LTE coverage (otherwise DualConnectivity is not feasible) and, more importantly, the WLAN accessneeds to be a ‘special’ WLAN that supports an interface with the eNB andseveral other enhancements. Such WLAN access is not a “standalone” WLAN.To support however interworking with standalone WLAN accesses (whichaccount for the majority of deployment scenarios) additional,WLAN-specific network elements and interfaces are required, thusincreasing the complexity of the system.

BRIEF SUMMARY

Disclosed are procedures for connecting a remote unit to a mobile corenetwork via a non-3GPP access network. Said procedures may beimplemented by apparatus, systems, methods, or computer programproducts.

One method of an interworking function for connecting a remote unit to amobile core network via a non-3GPP access network includes receiving, atthe interworking entity, a first authentication request from an accesspoint in a non-3GPP access network, the first authentication requestbeing part of a first authentication procedure and containing asubscriber identity of the remote unit. The method includes creating, bythe interworking entity, a request on behalf of the remote unit, whereinthe created request is not present in the first authentication requestand wherein the created request includes the subscriber identity. Themethod includes sending, by the interworking entity, the created requestto a mobile core network to initiate connection of the remote unit tothe mobile core network. The method includes receiving, at aninterworking entity, a second authentication request from the mobilecore network, wherein the second authentication request is part of a NASauthentication procedure different than the first authenticationprocedure. The method includes transforming, by the interworking entity,the second authentication request into a third authentication request ofthe first authentication procedure. The method includes using, by theinterworking entity, an authentication response of the firstauthentication procedure to complete connection to the mobile corenetwork

BRIEF DESCRIPTION OF THE DRAWINGS

A more particular description of the embodiments briefly described abovewill be rendered by reference to specific embodiments that areillustrated in the appended drawings. Understanding that these drawingsdepict only some embodiments and are not therefore to be considered tobe limiting of scope, the embodiments will be described and explainedwith additional specificity and detail through the use of theaccompanying drawings, in which:

FIG. 1 is a block diagram illustrating one embodiment of a wirelesscommunication system for connecting a remote unit to a mobile corenetwork via a non-3GPP access network using an interworking entity;

FIG. 2 illustrates one embodiment of a network architecture forconnecting a remote unit to a mobile core network via a non-3GPP accessnetwork using an interworking entity;

FIG. 3 illustrates one embodiment of a network architecture where anaccess network interworking entity is connected to multiple networkslices;

FIG. 4 is a block diagram illustrating one embodiment of a computingdevice for connecting a remote unit to a mobile core network via anon-3GPP access network using an interworking entity;

FIG. 5 is a flow chart diagram illustrating another embodiment of amethod for connecting a remote unit to a mobile core network via anon-3GPP access network using an interworking entity;

FIG. 6 illustrates one embodiment of a protocol architecture forconnecting to a mobile core network via a trusted WLAN access network;

FIG. 7 illustrates one embodiment of a protocol architecture forexchanging NAS signaling with control plane functions via a trusted WLANaccess network;

FIG. 8 illustrates one embodiment of a protocol architecture forconnecting to a mobile core network via an untrusted WLAN accessnetwork;

FIG. 9 illustrates one embodiment of a protocol architecture forexchanging NAS signaling with control plane functions via an untrustedWLAN access network;

FIG. 10A illustrates one embodiment of a signaling procedure forconnecting to a mobile core network via a trusted WLAN access network;

FIG. 10B continues the signaling procedure of FIG. 10A;

FIG. 11A illustrates one embodiment of a signaling procedure forconnecting to a mobile core network via an untrusted WLAN accessnetwork;

FIG. 11B continues the signaling procedure of FIG. 11A; and

FIG. 12 is a flow chart diagram illustrating another embodiment of amethod for connecting a remote unit to a mobile core network via anon-3GPP access network using an interworking entity.

DETAILED DESCRIPTION

As will be appreciated by one skilled in the art, aspects of theembodiments may be embodied as a system, apparatus, method, or programproduct. Accordingly, embodiments may take the form of an entirelyhardware embodiment, an entirely software embodiment (includingfirmware, resident software, micro-code, etc.) or an embodimentcombining software and hardware aspects.

For example, the disclosed embodiments may be implemented as a hardwarecircuit comprising custom very-large-scale integration (“VLSI”) circuitsor gate arrays, off-the-shelf semiconductors such as logic chips,transistors, or other discrete components. The disclosed embodiments mayalso be implemented in programmable hardware devices such as fieldprogrammable gate arrays, programmable array logic, programmable logicdevices, or the like. As another example, the disclosed embodiments mayinclude one or more physical or logical blocks of executable code whichmay, for instance, be organized as an object, procedure, or function.

Furthermore, embodiments may take the form of a program product embodiedin one or more computer readable storage devices storing machinereadable code, computer readable code, and/or program code, referredhereafter as code. The storage devices may be tangible, non-transitory,and/or non-transmission. The storage devices may not embody signals. Ina certain embodiment, the storage devices only employ signals foraccessing code.

Any combination of one or more computer readable medium may be utilized.The computer readable medium may be a computer readable storage medium.The computer readable storage medium may be a storage device storing thecode. The storage device may be, for example, but not limited to, anelectronic, magnetic, optical, electromagnetic, infrared, holographic,micromechanical, or semiconductor system, apparatus, or device, or anysuitable combination of the foregoing.

More specific examples (a non-exhaustive list) of the storage devicewould include the following: an electrical connection having one or morewires, a portable computer diskette, a hard disk, a random access memory(“RAM”), a read-only memory (“ROM”), an erasable programmable read-onlymemory (“EPROM” or Flash memory), a portable compact disc read-onlymemory (“CD-ROM”), an optical storage device, a magnetic storage device,or any suitable combination of the foregoing. In the context of thisdocument, a computer readable storage medium may be any tangible mediumthat can contain, or store a program for use by or in connection with aninstruction execution system, apparatus, or device.

Reference throughout this specification to “one embodiment,” “anembodiment,” or similar language means that a particular feature,structure, or characteristic described in connection with the embodimentis included in at least one embodiment. Thus, appearances of the phrases“in one embodiment,” “in an embodiment,” and similar language throughoutthis specification may, but do not necessarily, all refer to the sameembodiment, but mean “one or more but not all embodiments” unlessexpressly specified otherwise. The terms “including,” “comprising,”“having,” and variations thereof mean “including but not limited to,”unless expressly specified otherwise. An enumerated listing of itemsdoes not imply that any or all of the items are mutually exclusive,unless expressly specified otherwise. The terms “a,” “an,” and “the”also refer to “one or more” unless expressly specified otherwise.

Furthermore, the described features, structures, or characteristics ofthe embodiments may be combined in any suitable manner. In the followingdescription, numerous specific details are provided, such as examples ofprogramming, software modules, user selections, network transactions,database queries, database structures, hardware modules, hardwarecircuits, hardware chips, etc., to provide a thorough understanding ofembodiments. One skilled in the relevant art will recognize, however,that embodiments may be practiced without one or more of the specificdetails, or with other methods, components, materials, and so forth. Inother instances, well-known structures, materials, or operations are notshown or described in detail to avoid obscuring aspects of anembodiment.

Aspects of the embodiments are described below with reference toschematic flowchart diagrams and/or schematic block diagrams of methods,apparatuses, systems, and program products according to embodiments. Itwill be understood that each block of the schematic flowchart diagramsand/or schematic block diagrams, and combinations of blocks in theschematic flowchart diagrams and/or schematic block diagrams, can beimplemented by code. This code may be provided to a processor of ageneral purpose computer, special purpose computer, or otherprogrammable data processing apparatus to produce a machine, such thatthe instructions, which execute via the processor of the computer orother programmable data processing apparatus, create means forimplementing the functions/acts specified in the schematic flowchartdiagrams and/or schematic block diagrams.

The code may also be stored in a storage device that can direct acomputer, other programmable data processing apparatus, or other devicesto function in a particular manner, such that the instructions stored inthe storage device produce an article of manufacture includinginstructions which implement the function/act specified in the schematicflowchart diagrams and/or schematic block diagrams.

The code may also be loaded onto a computer, other programmable dataprocessing apparatus, or other devices to cause a series of operationalsteps to be performed on the computer, other programmable apparatus orother devices to produce a computer implemented process such that thecode which execute on the computer or other programmable apparatusprovide processes for implementing the functions/acts specified in theschematic flowchart diagrams and/or schematic block diagram.

The schematic flowchart diagrams and/or schematic block diagrams in theFigures illustrate the architecture, functionality, and operation ofpossible implementations of apparatuses, systems, methods, and programproducts according to various embodiments. In this regard, each block inthe schematic flowchart diagrams and/or schematic block diagrams mayrepresent a module, segment, or portion of code, which includes one ormore executable instructions of the code for implementing the specifiedlogical function(s).

It should also be noted that, in some alternative implementations, thefunctions noted in the block may occur out of the order noted in theFigures. For example, two blocks shown in succession may, in fact, beexecuted substantially concurrently, or the blocks may sometimes beexecuted in the reverse order, depending upon the functionalityinvolved. Other steps and methods may be conceived that are equivalentin function, logic, or effect to one or more blocks, or portionsthereof, of the illustrated Figures.

The description of elements in each figure may refer to elements ofproceeding figures. Like numbers refer to like elements in all figures,including alternate embodiments of like elements.

In order to solve the above described problem of integrating non-3GPPaccess (e.g., non-E-UTRAN access) into next generation mobilecommunication networks (e.g., 5G networks), future wireless standardsare expected to simplify the architecture and to specify a common AN-CNinterface that can be used for all types of accesses including 5G RAN,WLAN, fixed broadband, satellite access, and the like. Here, all typesof access network (both 3GPP and non-3GPP) communicate with the corenetwork using the very same interfaces: a common control plane interface(referred to herein as the “NG2” interface) and a common user planeinterface (referred to herein as the “NG3” interface).

To provide interworking between the non-3GPP access networks (“N3AN”),the present disclosure describes a new network element referred to as anon-3GPP interworking function (“N3IWF”). The N3IWF contains bothhardware and software elements for protocol conversion and signaladaptation between the N3AN and the CN. Additionally, the N3IWF executesa 3GPP attach procedure with the CN on behalf of a UE when the UEconnects to a N3AN and carries out an authentication procedure. Forexample, when a UE associates with a trusted WLAN and begins an EAP-AKA′authentication procedure, the N3IWF initiates a 5G attach procedure withthe CN on behalf of the UE (e.g., the N3IWF acts as a proxy for the UE)while the UE continues the EAP-AKA′ authentication procedure.

The N3IWF includes a functional component referred to as an AttachProxy, which performs interworking between the authentication signalingand the 3GPP attach signaling. In doing so, the Attach Proxy acts as aUE proxy and initiates the 3GPP attach procedure on behalf of the UE.The Attach Proxy takes parameters received from the UE in anauthentication procedure message and generates an attach proceduremessage for the CN using the received parameters. Similarly, the AttachProxy takes parameters received from the CN in an attach proceduremessage and generates an authentication procedure message for the UEusing the parsed parameters.

Beneficially, using the described apparatus, methods, signalingprocedures, network architectures, protocol architectures, etc. does notrequire new authentication procedures for the N3AN. Additionally, legacyUEs may be authenticated and authorized by the 5G CN when they attach toa trusted WLAN (e.g., using EAP-AKA′ authentication). In this way,legacy UEs may connect to a trusted WLAN and start Non-Seamless WLANoffload (“NSWO”) traffic (i.e. traffic that traverses only the WLAN, notthe 5G core network) without requiring new UE capabilities. Similarly,legacy UEs may be authenticated and authorized by the 5G CN when theyestablish an IKEv2/IPsec connection to the N3IWF, which is perceived asan ePDG.

As discussed in more detail below, the N3IWF supports network sliceselection over non-3GPP access, i.e. enables the UE to send ‘assistanceinformation’ during WLAN authentication which is used by the network toselect an appropriate network slice for the UE (e.g. to select an IoTslice).

FIG. 1 a wireless communication system 100 for connecting a remote unitto a mobile core network via a non-3GPP access network using aninterworking entity, according to embodiments of the disclosure. In oneembodiment, the wireless communication system 100 includes remote units105, at least one WLAN AN 110 (each WLAN AN 110 comprising one or moreWLAN access points (“APs”) 111), WLAN communication links 115, a mobileradio access network (“RAN”) 120 (comprising one or more cellular baseunits 121), and cellular communication links 125. Even though a specificnumber of remote units 105, WLAN ANs 110, WLAN APs 111, WLANcommunication links 115, mobile radio access networks 120, cellular baseunits 121, and cellular communication links 125 are depicted in FIG. 1,one of skill in the art will recognize that any number of remote units105, WLAN ANs 110, WLAN APs 111, WLAN communication links 115, mobileradio access networks 120, cellular base units 121, and cellularcommunication links 125 may be included in the wireless communicationsystem 100.

In one implementation, the wireless communication system 100 iscompliant with a fifth generation (“5G,” also referred to as “NextGen”)of the 3GPP protocol, wherein the cellular base units 121 transmit usingan orthogonal frequency division multiplexing (“OFDM”) modulation schemeon the DL and the remote units 105 transmit on the UL using asingle-carrier frequency division multiple access (“SC-FDMA”) scheme.More generally, however, the wireless communication system 100 mayimplement some other open or proprietary communication protocol, forexample, WiMAX, among other protocols. The present disclosure is notintended to be limited to the implementation of any particular wirelesscommunication system architecture or protocol.

In one embodiment, the remote units 105 may include computing devices,such as desktop computers, laptop computers, personal digital assistants(“PDAs”), tablet computers, smart phones, smart televisions (e.g.,televisions connected to the Internet), smart appliances (e.g.,appliances connected to the Internet), set-top boxes, game consoles,security systems (including security cameras), vehicle on-boardcomputers, network devices (e.g., routers, switches, modems), or thelike. In some embodiments, the remote units 105 include wearabledevices, such as smart watches, fitness bands, optical head-mounteddisplays, or the like. Moreover, the remote units 105 may be referred toas subscriber units, mobiles, mobile stations, users, terminals, mobileterminals, fixed terminals, subscriber stations, UE, user terminals, adevice, or by other terminology used in the art. The remote units 105may communicate directly with one or more of the WLAN APs 111 via uplink(“UL”) and downlink (“DL”) communication signals. Furthermore, the ULand DL communication signals may be carried over the WLAN communicationlinks 115. Similarly, the remote units 105 may communicate with one ormore cellular base units 121 in the mobile radio access network 120 viaUL and DL communication signals carried over the cellular communicationlinks 125.

The WLAN ANs 110 may be distributed over a geographic region. Asdepicted in FIG. 1, a WLAN AN 110 connects to a mobile core network 130via an interworking entity 135. In certain embodiments, a WLAN AN 110may be controlled by an operator of the mobile core network 130 and mayhave direct access to the mobile core network 130. Such a WLANdeployment is referred to as a “trusted WLAN.” A WLAN AN 110 isconsidered as “trusted” when it is operated by the 3GPP operator andsupports certain security features, such as 3GPP-based authenticationand strong air-interface encryption. In some embodiments, theinterworking entity 135 may be contained within (e.g., co-sited with) atrusted WLAN. In one embodiment, the interworking entity may be acomponent of a WLAN AP 111 in the trusted WLAN AN 110.

In other embodiments, a WLAN AN 110 is not controlled by the operator ofthe mobile core network 130 and thus does not have direct access to themobile core network 130. Such WLAN deployments are referred to as“untrusted” WLANs. Public hotspots deployed in malls, coffee shops, andother public areas are considered as untrusted. Here, the untrusted WLANANs 110 rely on a data network, such as the Internet, to connect to themobile core network 130. The mobile core network 130 may provideservices to a remote unit 105 via the WLAN AN 110, as described ingreater detail herein.

Each WLAN AP 111 may serve a number of remote units 105 with a servingarea. Typically, a serving area of the WLAN AP 111 is smaller than theserving area of a cellular base unit 121. The WLAN APs 111 maycommunicate directly with one or more remote units 105 by receiving ULcommunication signals and transmitting DL communication signals to servethe remote units 105 in the time, frequency, and/or spatial domain. BothDL and UL communication signals are carried over the WLAN communicationlinks 115. A WLAN AP 111 may communicate using unlicensed radiospectrum.

The cellular base units 121 in the mobile radio access network 120 maybe distributed over a geographic region. In certain embodiments, acellular base unit 121 may also be referred to as an access terminal, abase, a base station, a Node-B, an eNB, a Home Node-B, a relay node, adevice, or by any other terminology used in the art. The cellular baseunits 121 are part of a mobile radio access network (“RAN”) 120 that mayinclude one or more controllers communicably coupled to one or morecorresponding cellular base units 121. These and other elements of radioaccess network are not illustrated but are well known generally by thosehaving ordinary skill in the art.

The mobile radio access network 120 may serve a number of remote units105 within a serving area, for example, a cell or a cell sector via awireless communication link. The mobile radio access network 120 maycommunicate directly with one or more of the remote units 105 viacommunication signals. Generally, the mobile radio access network 120transmit downlink (“DL”) communication signals to serve the remote units105 in the time, frequency, and/or spatial domain. Furthermore, the DLcommunication signals may be carried over the cellular communicationlinks 125. The cellular communication links 125 may be any suitablecarrier in licensed or unlicensed radio spectrum. The cellularcommunication links 125 may communicate with one or more of the remoteunits 105 and/or one or more of the cellular base units in the mobileradio access network 120.

In one embodiment, the mobile core network 130 is a 5G packet core whichmay be coupled to other networks, like the Internet and private datanetworks, among other data networks. Additionally, the mobile corenetwork 130 may be coupled to other types of access networks, such asfixed broadband access networks, satellite access, and the like. Thepresent disclosure is not intended to be limited to the implementationof any particular wireless communication system architecture orprotocol. Thus, the mobile radio access network 120 may be coupled toany suitable next generation (e.g., 5G) packet core network.

Each mobile core network 130 belongs to a single public land mobilenetwork (“PLMN”). The mobile core network 130 includes at least onecontrol plane (“CP”) function, depicted here as CP functions 140. Whilethe mobile core network 130 may include a plurality of CP functions 140,the disclosed procedures may only require the involvement of one CPfunction (e.g., network entity) from the plurality of CP functions 140.As depicted, the mobile core network 130 also includes at least one userplane (“UP”) function, depicted here as UP functions 145, and a homesubscriber server (“HSS”) 150. Although depicted as outside the mobilecore network 130, in some embodiments the interworking entity 135 may belocated within the mobile core network 130. For example, an instance ofthe interworking entity 135 located within the mobile core network 130may provide interworking functions to an untrusted WLAN AN 110.

The CP functions 140 include network control functions that governaccess to services of the mobile core network 130. Examples of CPfunctions 140 include, but are not limited to, the mobility managementfunction, the policy function, the session management function, and theauthentication function. The UP functions 145 enable delivery of dataand other services to subscriber (e.g., a remote unit 105). The HSS 150is a central database that contains user-related andsubscription-related information. Although a specific number of CPfunctions 140, UP functions 145, and HSS 150 are depicted in FIG. 1, oneof skill in the art will recognize that any number of CP functions 140,UP functions 145, and HSS 150 may be included in the mobile core network130. Further, the wireless communication system 100 may include anynumber of mobile core networks 130.

In next-generation (“5G”) 3GPP mobile core networks 130, both the mobileRAN 120 and the WLAN AN 110 communicate with the core network using acommon control plane interface (e.g., the “NG2” interface) and a commonuser (data) plane interface (e.g., the “NG3” interface). Theinterworking entity 135 provides interworking between a (standalone)WLAN AN 110 and the mobile core network 130, converting non-3GPP accessnetwork protocols to messages sent over the NG2 and NG3 interfaces.

Further, to expedite a remote unit 105 receiving services from themobile core network 130, the interworking entity 135 sends a 3GPP attachrequest to the mobile corner of 130 on behalf of the remote unit 105when the remote unit 105 connects to a WLAN AN 110 and carries out anauthentication procedure with the interworking entity 135. Here, theinterworking entity 135 may perform AAA functions for the WLAN AN 110 inMay for their convert 3GPP authentication messages used by the mobilecore network 130 into authentication messages used by the WLAN AN 110.

FIG. 2 depicts a network architecture 200 used for connecting a remoteunit to a mobile core network via a non-3GPP access network using aninterworking entity, according to embodiments of the disclosure. Thenetwork architecture 200 includes a UE 205, a trusted non-3GPP accessnetwork 210, an untrusted non-3GPP access network 215, a non-3GPP accessnetwork 220 containing a non-3GPP interworking function (“N3IWF”) 225,and a mobile core network 130. The UE 205 may be one embodiment of theremote unit 105 discussed above with reference to FIG. 1. The mobilecore network 130 may be substantially described above with reference toFIG. 1 and includes CP functions 140, UP functions 145, and a HSS 150,also as described above.

The trusted non-3GPP access network 210 is an access network by whichthe UE 205 can access the mobile core network 130. The trusted non-3GPPaccess network 210 may be a wireless access network (such as a WLAN), afixed broadband access network, a satellite access network, and thelike. However, the trusted non-3GPP access network 210 differs from(e.g., does not include) the mobile RAN 120 containing the cellular baseunit 121, discussed above with reference to FIG. 1. Further, the trustednon-3GPP access network 210 is a standalone access network, meaning itis not a part of a 3GPP RAN (e.g., the mobile RAN 120). A trusted WLANAN 110 is one embodiment of the trusted non-3GPP access network 210.

In certain embodiments, the trusted non-3GPP access network 210 includesan AAA proxy 230. The trusted non-3GPP access network 210 includes theAAA proxy 230 where the N3IWF is deployed outside the trusted non-3GPPaccess network 210. The AAA proxy access intermediary to AAA trafficbetween the UE 205 and the N3IWF 225. Here, the N3IWF 225 acts as an AAAserver towards the UE 205 and communicates with the AAA proxy 230 usingthe STa interface. However, in embodiments where the N3IWF is deployedwithin the trusted non-3GPP access network, the AAA proxy 230 is notneeded and may be omitted.

The untrusted non-3GPP access network 215 is another access network bywhich the UE 205 can access the mobile core network 130. The untrustednon-3GPP access network 215 may be a wireless access network (such as aWLAN), a fixed broadband access network, a satellite access network, andthe like. Like the trusted non-3GPP access network 210, the untrustednon-3GPP access network 215 is outside of, and does not include, the3GPP mobile RAN 120 containing the cellular base unit 121, discussedabove with reference to FIG. 1. Further, the untrusted non-3GPP accessnetwork 215 is a standalone access network. As used herein, a WLANdeployment that is not a part of the RAN is referred to as a“standalone” WLAN. An untrusted WLAN AN 110 is one embodiment of theuntrusted non-3GPP access network 215.

As depicted, the UE 205 communicates with the trusted non-3GPP accessnetwork 210 using a NWt interface and a Y1 interface. Through the NWtinterface, the UE 205 accesses the N3IWF 225 and, where present, the AAAproxy 230. Similarly, the UE 205 communicates with the untrustednon-3GPP access network 215 using a NWu interface and the Y1 interface.Through the NWu interface, the UE 205 accesses the N3IWF 225. Note thatthe untrusted non-3GPP access network 215 does not include an AAA proxy230. Thus, the NWu interface does not allow the UE 205 access to an AAAproxy 230. Upon connecting to the mobile core network 130, the UE 205communicates with the CP functions 140 through the NG1 interface.

Also as depicted, the N3IWF 225 communicates with the mobile corenetwork 130 via the NG2 interface and the NG3 interface. As discussedabove, the NG2 interface is a control plane interface by which the N3IWF225 communicates with the CP functions 140. Similarly, the NG3 interfaceis a user plane interface by which the N3IWF 225 communicates with theUP functions 145. For completeness, the NG6 interface is shown by whichthe UP functions 145 communicate with data networks outside the mobilecore network 130.

The network architecture 200 includes the N3IWF 225, which may be oneembodiment of the interworking entity 135 discussed above with referenceto FIG. 1. The N3IWF performs the first authentication procedure withthe UE 205 while simultaneously attaching the UE 205 to the mobile corenetwork 130, e.g., by using a 3GPP attachment procedure. In someembodiments, the N3IWF 225 communicates with a single control planefunction of the CP functions 140 when attaching the UE 205. In otherembodiments, the N3IWF 225 communicates with a plurality of functions ofthe CP functions 140 when attaching the UE 205. The N3IWF 225 performsinterworking between the first authentication procedure and the 3GPPattachment procedure, as discussed in greater detail with reference toFIGS. 10A-B and 11A-B.

In some embodiments, the N3IWF 225 may be deployed within the trustednon-3GPP access network 210. In other embodiments, the N3IWF 225 may bedeployed within the mobile core network 130. Still further, in someembodiments the network architecture 200 may include multiple instancesof the N3IWF 225. For example, the trusted non-3GPP access network 210may include one instance of the N3IWF 225 while the mobile core network130 may include a second instance of the N3IWF 225.

FIG. 3 depicts a network architecture 300 used for connecting a remoteunit to a mobile core network via a non-3GPP access network using aninterworking entity, according to embodiments of the disclosure. Thenetwork architecture 300 includes a UE 205, the trusted non-3GPP accessnetwork 210, and the non-3GPP access network 220 including the N3IWF225. The trusted non-3GPP access network 210, the non-3GPP accessnetwork 220, and the N3IWF 225 may be substantially described above withreference to FIG. 2. In the network architecture 300, the N3IWF 225 isconnected to multiple network slices, here a first core network slice235, and a second core network slice 240. The first core network slice235 and the second core network slice 240 may be part of the mobile corenetwork 130 discussed above with reference to FIGS. 1 and 2. Here, eachcore network slice 235-240 is depicted as having its own CP functions140, UP functions 145, and HSS 150. Each core network slice 235-240 maybe optimized for certain traffic type. For example, the first corenetwork slice 235 may be optimized for mobile broadband traffic whilethe second core network slice 240 may be optimized for Internet ofThings (“IoT”) traffic and machine type communications (“MTC”).

As shown in FIG. 3, the N3IWF 225 may perform network slice selectionbased on information provided by the UE 205. For example, when the UE205 provides its subscriber identity to the N3IWF 225 (e.g., during thefirst authentication procedure), the UE 205 may additionally provideslice selection “assistance information.” Using the slice selectioninformation, the N3IWF 225 may select an appropriate network slice,e.g., from among the network slices 235-240. In one embodiment, the UE205 provides a special identity decorated with (e.g., containing) theslice selection information, wherein the N3IWF 225 selects a networkslice (e.g., initiates a proxy attachment with a particular work slice)based on the slice selection information. This decorated identity maycomprise the subscriber identity and a slice selection informationcombined into a single value. In certain embodiments, the sliceselection information may be a character string appended to thesubscriber identity with a special character used to separate thesubscriber identity from the slice selection information.

Although not depicted as containing such, in some embodiments thenetwork architecture 300 includes an untrusted non-3GPP access network,such as the untrusted non-3GPP access network 215. In such embodiments,the untrusted non-3GPP access network is connected to the N3IWF 225.Again, the UE 205 may provide slice selection information to the N3IWF225, wherein the N3IWF 225 selects an appropriate network slice based onthe provided slice selection information. When the mobile core network130 is comprised of one network slice only and the slice selectioninformation does not match this network slice, the N3IWF 225 may rejectthe UE 205. Similarly, the N3IWF 225 may reject the UE 205 if it sendsslice selection information that does not match any deployed networkslice in the mobile core network 130.

FIG. 4 depicts one embodiment of an apparatus 400 that may be used forconnecting a remote unit to a mobile core network via a non-3GPP accessnetwork, according to embodiments of the disclosure. The apparatus 400includes one embodiment of the interworking entity 135. Furthermore, theremote unit 105 may include a processor 405, a memory 410, an inputdevice 415, a display 420, an access network (“AN”) interface 425, and acore network (“CN”) interface 430. In some embodiments, the input device415 and the display 420 are combined into a single device, such as atouchscreen. In certain embodiments, the remote unit 105 may not includeany input device 415 and/or display 420.

The processor 405, in one embodiment, may include any known controllercapable of executing computer-readable instructions and/or capable ofperforming logical operations. For example, the processor 405 may be amicrocontroller, a microprocessor, a central processing unit (“CPU”), agraphics processing unit (“GPU”), an auxiliary processing unit, a fieldprogrammable gate array (“FPGA”), or similar programmable controller. Insome embodiments, the processor 405 executes instructions stored in thememory 410 to perform the methods and routines described herein. Theprocessor 405 is communicatively coupled to the memory 410, the inputdevice 415, the display 420, the AN interface 425, and the CN interface430.

In certain embodiments, the processor 405 initiates the firstauthentication procedure with the remote unit 105 over a non-3GPP accessnetwork. For example, the processor 405 may utilize the AN interface 425to initiate the first authentication procedure. In some embodiments, thenon-3GPP access network is a trusted WLAN access network and theprocessor 405 initiates an EAP-AKA′ procedure, as discussed below withreference to FIGS. 10A-B. In some embodiments, the non-3GPP accessnetwork is an untrusted WLAN access network in the processor 405initiates an EAP-AKA′ procedure encapsulated into IKEv2 signaling, asdiscussed below with reference to FIGS. 11A-B.

Additionally, the processor 405 sends a 3GPP attach request to themobile core network 130 on behalf of the remote unit 105. For example,the processor 405 may utilize the CN interface 430 to send the 3GPPattach request. Here, the apparatus 400 acts as a proxy of the remoteunit 105 for 3GPP attachment with the mobile core network 130.

The processor 405 receives an attachment authentication request from themobile core network 130 (e.g., an authentication request of the 3GPPattachment procedure). For example, the processor 405 may receive theattachment authentication request over the CN interface 430. Theprocessor 405 then transforms the attachment authentication request intoan authentication request of the first authentication procedure. Indoing so, processor 405 performs interworking between the 3GPPattachment procedure and the first authentication procedure (e.g.,utilized by the non-3GPP access network). Where the first authenticationprocedure is an EAP-AKA′ procedure, the processor 405 may generate anEAP-AKA′ challenge message using parameters from the 3GPP attachmentauthentication request.

The processor 405 sends the authentication request of the firstauthentication procedure over the AN interface 425 and receives anauthentication response according to the first authentication procedure(also over the AN interface 425). The processor 405 then uses theauthentication response of the first authentication procedure tocomplete attachment to the mobile core network 130. Where the firstauthentication procedures a EAP-AKA′ procedure, the processor 405 usesparameters from a EAP-AKA′ challenge response to complete proxyattachment of the remote unit 105 to the mobile core network 130. Forexample, the processor 405 may generate a 3GPP attachment authenticationresponse from a EAP-AKA′ challenge response. In one embodiment, theprocessor 405 further receives an attach accept message from the mobilecore network 130 in response to the attachment authentication response.At the same time, the processor 405 may receive security keys forprotecting the user traffic over the non-3GPP access network. In anotherembodiment, the processor 405 further sends a EAP-AKA′ notification tothe remote unit, the EAP-AKA′ notification including a network addressof the apparatus 400.

In some embodiments, the processor 405 initiates the firstauthentication procedure by requesting a subscriber identity of theremote unit 105. In certain embodiments, the processor 405 may receive(over the AN interface 425) a subscriber identity response comprisingthe subscriber identity and slice selection information, wherein theprocessor 405 sends the 3GPP attach request to a particular networkslice (e.g., first and second core network slices 235-240) in the mobilecore network 130 based on the slice selection information. When themobile core network 130 is comprised of one network slice only and theslice selection information does not match this network slice, theprocessor 405 may reject the remote unit 105. Similarly, the processor405 may reject the remote unit 105 if it sends slice selectioninformation that does not match any deployed network slice in the mobilecore network 130.

In one embodiment, the subscriber identity response contains a decoratedidentity combining the subscriber identity and the slice selectioninformation into a single string. In certain embodiments, the processor405 includes the subscriber identity into the 3GPP attach request. Theprocessor 405 may further indicate, using an information element in the3GPP attach request, that the remote unit 105 is attaching over anon-3GPP access network. Optionally, the processor 405 may include anidentity of the non-3GPP access network in the 3GPP attach request.

In further embodiments, the processor 405 further creates a security keyin response to completing attachment to the mobile core network 130 onbehalf of the remote unit 105. In certain embodiments, the processor 405uses the security key to establish a secure connection with the remoteunit 105 in response to completing proxy attachment to the mobile corenetwork 130. In one embodiment, the secure connection is a DTLSconnection and the security key is a pre-shared key used to establishthe DTLS connection. Thereafter, the processor 405 may relay NASmessages between the remote unit 105 and the mobile core network 130 inresponse to establishing the secure connection.

In some embodiments, the processor 405 further generates a remote unitcontext in response to completing attachment to the mobile core network.The processor 405 may store the remote unit context in the memory 410.As used herein, the remote unit context includes identifying context ofthe remote unit 105, such as a network address of the remote unit 105, asubscriber identity of the remote unit 105, and one or more EAP-AKA′identities of the remote unit.

The memory 410, in one embodiment, is a computer readable storagemedium. In some embodiments, the memory 410 includes volatile computerstorage media. For example, the memory 410 may include a RAM, includingdynamic RAM (“DRAM”), synchronous dynamic RAM (“SDRAM”), and/or staticRAM (“SRAM”). In some embodiments, the memory 410 includes non-volatilecomputer storage media. For example, the memory 410 may include a harddisk drive, a flash memory, or any other suitable non-volatile computerstorage device. In some embodiments, the memory 410 includes bothvolatile and non-volatile computer storage media. In some embodiments,the memory 410 stores data relating to connecting a remote unit to amobile core network via a non-3GPP access network, for example aprotocol stacks, messages, security keys, remote unit identities, remoteunit context, and the like. In some embodiments, the memory 410 alsostores program code and related data, such as an operating system orother controller algorithms operating on the remote unit 105 and one ormore software applications.

The input device 415, in one embodiment, may include any known computerinput device including a touch panel, a button, a keyboard, a stylus, amicrophone, or the like. In some embodiments, the input device 415 maybe integrated with the display 420, for example, as a touchscreen orsimilar touch-sensitive display. In some embodiments, the input device415 includes a touchscreen such that text may be input using a virtualkeyboard displayed on the touchscreen and/or by handwriting on thetouchscreen. In some embodiments, the input device 415 includes two ormore different devices, such as a keyboard and a touch panel.

The display 420, in one embodiment, may include any known electronicallycontrollable display or display device. The display 420 may be designedto output visual, audible, and/or haptic signals. In some embodiments,the display 420 includes an electronic display capable of outputtingvisual data to a user. For example, the display 420 may include, but isnot limited to, an LCD display, an LED display, an OLED display, aprojector, or similar display device capable of outputting images, text,or the like to a user. As another, non-limiting, example, the display420 may include a wearable display such as a smart watch, smart glasses,a heads-up display, or the like. Further, the display 420 may be acomponent of a smart phone, a personal digital assistant, a television,a table computer, a notebook (laptop) computer, a personal computer, avehicle dashboard, or the like.

In certain embodiments, the display 420 includes one or more speakersfor producing sound. For example, the display 420 may produce an audiblealert or notification (e.g., a beep or chime). In some embodiments, thedisplay 420 includes one or more haptic devices for producingvibrations, motion, or other haptic feedback. In some embodiments, allor portions of the display 420 may be integrated with the input device415. For example, the input device 415 and display 420 may form atouchscreen or similar touch-sensitive display. In other embodiments,the display 420 may be located near the input device 415.

The AN interface 425, in one embodiment, is a network interface forcommunicating with the non-3GPP access network. In some embodiments, theprocessor 405 performs the first authentication procedure with remoteunit 105 via the AN interface 425. The AN interface 425 may include aplurality of interfaces, such as the NWt and NWu interfaces discussedabove with reference to FIG. 2. In some embodiments, the AN interface425 may include a STa interface for communicating with an AAA proxy 230in a trusted non-3GPP access network 210, as discussed above withreference to FIG. 2. The AN interface 425 may include hardware circuitryand/or software code for communicating with the non-3GPP access network.

The CN interface 430, in one embodiment, is a network interface forcommunicating with the mobile core network 130. In some embodiments, theprocessor 405 performs the 3GPP attachment procedure with the mobilecore network 130, on behalf of the remote unit 105, via the CN interface430. The CN interface 430 may support a plurality of interfaces, such asthe NG2 (control plane) and NG3 (user plane) interfaces discussed abovewith reference to FIG. 2. The CN interface 430 may include hardwarecircuitry and/or software code for communicating with the mobile corenetwork 130. In some embodiments, the apparatus 400 communicates with asingle control plane function of the CP functions 140 when attaching aremote unit 105. In other embodiments, the apparatus 400 communicateswith a plurality of functions of the CP functions 140 when attaching theremote unit 105.

FIG. 5 is a schematic flow chart diagram illustrating one embodiment ofa method 500 for connecting a remote unit to a mobile core network via anon-3GPP access network using an interworking entity, according toembodiments of the disclosure. In some embodiments, the method 500 isperformed by an apparatus, such as the interworking entity 135, N3IWF225, or apparatus 400. In certain embodiments, the method 500 may beperformed by a processor executing program code, for example, amicrocontroller, a microprocessor, a CPU, a GPU, an auxiliary processingunit, a FPGA, or the like.

The method 500 may include initiating 505, by the interworking entity, afirst authentication procedure with a remote unit over a non-3GPP accessnetwork (“N3AN”). In one embodiment, the processor 405 initiates 505 viathe access network interface 425 the first authentic procedure with aremote unit 105. The N3AN may be a WLAN. In one embodiment, the N3AN isa trusted WLAN access network (“TWAN”) and the first authentic procedureis an EAP-AKA′ procedure sent via a NWt interface. In anotherembodiment, the N3AN is an untrusted WLAN access network (“UTWAN”) andthe first authentication procedure is an EAP-AKA′ procedure embeddedwithin a IKEv2 procedure sent via a NWu interface.

In certain embodiments, initiating 505 the first authenticationprocedure includes the interworking entity requesting a subscriberidentity of the remote unit. In one embodiment, the subscriber identityis an IMSI belonging to the remote unit. In some embodiments, theinterworking entity receives a subscriber identity response thatcontains both a subscriber identity and slice selection information. Inone embodiment, the subscriber identity response contains a decoratedidentity, the decorated identity combining the subscriber identity and aslice selection information into a single value.

The method 500 includes sending 510, by the interworking entity, anattach request to a mobile core network on behalf of the remote unit. Inone embodiment, the processor 405 sends 510 via a core network interface430 (e.g., using a logical NG2 interface) an attach request to themobile core network 130 on behalf of the remote unit 105. In certainembodiments, an attach proxy (such as the attach proxy 615 describedbelow) sends 510 the attach request to the mobile core network 130 onbehalf of the remote unit 105. In certain embodiments, sending 510 theattach request includes sending the attach request to one or morecontrol plane functions 140 in the mobile core network 130.

In some embodiments, sending 510 the attach request includes sending thesubscriber identity and (optionally) an identity of the N3AN within theattach request. Additionally, the attach request may indicate anattachment is being made over the N3AN. In certain embodiments, themobile core network 130 may include two or more network slices. In suchembodiments, the interworking entity may receive slice selectioninformation from the remote unit, wherein sending 510 the attach requestincludes sending the attach request to particular network slice in themobile core network based on the slice selection information.

The method 500 includes receiving 515, at the interworking entity, andattachment authentication request from the mobile core network. In oneembodiment, the processor 405 receives 515 the attachment authenticationrequest from the mobile core network 130 via the NG2 interface. Incertain embodiments, the attachment authentication request is part of a5G attachment procedure and is received 515 in response to sending 510the attach request.

In some embodiments, the attachment authentication request includestransient security keys for protecting messages from the firstauthentication procedure communicated between the remote unit 105 andthe interworking entity 135. For example, the transient security keysmay be transient EAP keys, including a K_aut key and a K_encr keygenerated as specified in RFC 5448. Protecting messages of the firstauthentication procedure includes authenticating the identity of amessage originator (e.g., to prevent man-in-the-middle attacks) andencrypting some sensitive parts of the authentication messages, such asa temporary identity assigned the remote unit 105.

The method 500 includes transforming 520, by the interworking entity,the attachment authentication request into an authentication request ofthe first authentication procedure. In one embodiment, the processor 405transforms 520 the attachment authentication request into theauthentication request of the first authentication procedure. In certainembodiments, an attach proxy (such as the attach proxy 615) transforms520 the attachment authentication request into the authenticationrequest of the first authentication procedure. In one embodiment, theattachment authentication request is a 3GPP authentication request andthe authentication request of the first authentication procedure is aEAP-AKA′ challenge message. In such an embodiment, 520 the attachmentauthentication request includes parsing parameters from the 3GPPauthentication request and generating an EAP-AKA′ challenge messageusing the parsed parameters.

The method 500 includes using 525, by the interworking entity, anauthentication response of the first authentication procedure tocomplete attachment to the mobile core network. In one embodiment, theprocessor 405 uses 525 the authentication response of the firstauthentication procedure to complete attachment of the remote unit 105to the mobile core network 130. In certain embodiments, an attach proxy(such as the attach proxy 615) uses 525 the authentication response ofthe first authentication procedure (e.g., an EAP-AKA′ authenticationprocedure) to complete 3GPP attachment of the remote unit 105 to themobile core network 130. In some embodiments, completing attachment tothe mobile core network 130 includes the interworking entity 135receiving attach accept message from the mobile core network 130 inresponse to the 3GPP attachment authentication response. In certainembodiments, the interworking entity 135 also receives security keys forprotecting the user traffic over the N3AN. For example, the interworkingentity may receiver an Initial Context Setup Response message over theNG2 interface that contains an Attach Accept message and a securitycontext containing one or more security keys.

In one embodiment, the authentication response of the firstauthentication procedure is an EAP-AKA′ challenge response. In such anembodiment, using 525 the EAP-AKA′ challenge response to completeattachment to the mobile core network 130 includes the interworkingentity 135 generating a 3GPP attachment authentication response usingthe EAP-AKA′ challenge response and sending the 3GPP attachmentauthentication response to one or more control plane functions 140 ofthe mobile core network 130. Additionally, completing attachment to themobile core network 130 may include the interworking entity 135 sendingthe remote unit 105 a EAP-AKA′ notification that includes a networkaddress of the interworking entity 135.

In some embodiments, the interworking entity creates a security key inresponse to completing attachment to the mobile core network 130.Additionally, the interworking entity may use the security key toestablish a secure connection with the remote unit 105 in response tocompleting attachment to the mobile core network 130. In response toestablishing the secure connection, the interworking entity may relayNAS messages between the remote unit 105 and the mobile core network130. In one embodiment, the secure connection is a datagram transportlayer security (“DTLS”) connection and the security key is used as apre-shared key to establish the DTLS connection.

In certain embodiments, the interworking entity generates a remote unitcontext in response to completing attachment to the mobile core network130. Here, the remote unit context including a network address of theremote unit 105, a subscriber identity of the remote unit 105, and oneor more EAP-AKA′ identities of the remote unit 105.

FIG. 6 depicts a protocol architecture 600 for a UE 205 connecting to amobile core network 130 via a trusted WLAN access network 610 and aN3IWF 225, according to embodiments of the disclosure. The UE 205 issubstantially as described above with reference to FIGS. 2 and 3. The UE205 may be one embodiment of the remote unit 105 described above withreference to FIG. 1. The mobile core network 130 is substantially asdescribed above with reference to FIGS. 1-3 and includes one or more CPfunctions 140. The trusted WLAN access network (“TWAN”) 610 is anembodiment of the WLAN AN 110 and the trusted non-3GPP access network210 described above with reference to FIGS. 1-3. The N3IWF 225 issubstantially described above with reference to FIGS. 2-3. Additionally,the N3IWF 225 may be one embodiment of the interworking entity 135discussed above with reference to FIGS. 1, 4, and 5.

As depicted, the UE 205 communicates with the TWAN 610 over a NWtinterface. The protocol stack of the UE 205 includes WLAN layers 601, anIPv4/v6 layer 603, an EAP over LAN (“EAPoL”) layer 605, and an EAP layer607. The WLAN layers 601 include both a physical layer (layer 1) anddata link layer (layer 2) and terminate at the TWAN 610. The TWAN 610has corresponding layer 1 and layer 2 terminating at the N3IWF 225 basedon its connection with the N3IWF 225. For simplicity, layers 2 and 1 aredepicted as combined L2/L1 layers 619.

The EAPoL layer 605 terminates at the TWAN 610 and the TWAN 610 has aAAA layer 617 which terminates at the N3IWF 225. In some embodiments,the TWAN 610 includes an AAA proxy 230 which operates at the AAA layer617. As depicted, each of the UE 205 in the N3IWF 225 includes an EAPlayer 607 terminating at the TWAN 610.

The protocol stack of the UE 205 also includes an EAP-AKA′ layer 609which relates to the TWAN 610 and terminates at the N3IWF 225. Above theEAP-AKA′ layer 609, the UE 205 includes an adaptation layer 611. Theadaptation layer 611 enables operation of the NAS layer 613 overEAP-AKA′. As depicted, the CP functions 140 also include a NAS layer613.

The protocol stack of the N3IWF 225 includes an attach proxy 615. Theattach proxy 615 performs interworking between the EAP-AKA′ signalingand the NG2 signaling. As depicted, the N3IWF 225 includes NG2 lowerlayers 621 and a NG2 application protocol (“AP”) layer 623. The NG2lower layers 621 and NG2 AP layer 623 terminate at the CP functions 140.As discussed above, the N3IWF 225 communicates with the CP functions 140using the NG2 interface. The attach proxy 615 initiates an attachprocedure toward the CP functions 140 on behalf of the UE 205. Thus, theUE 205 attaches to the mobile core network 130 in parallel withperforming the EAP-AKA′ procedure, as discussed in greater detail belowwith reference to FIGS. 10A-B.

FIG. 7 illustrates one embodiment of a protocol architecture 700 forexchanging NAS signaling between the UE 205 and the CP functions 140 viathe TWAN 610, according to embodiments of the disclosure. The protocolarchitecture 700 occurs after the UE 205 attaches to the mobile corenetwork 130. As discussed below, FIGS. 10A-B describe an attachmentprocedure used to transition from the protocol architecture 600 to theprotocol architecture 700.

After the UE 205 completes the EAP-AKA′ procedure and attaches to themobile core network 130, the UE 205 may exchange NAS signaling (at theNAS layer 613) with the CP functions 140 over the logical NG1 interface.The UE 205 may use the NG1 interface to request data connection, alsoknown as a PDU session, e.g., to communicate with an external datanetwork through the user plane of the mobile core network 130 and viathe TWAN 610. Note that the NAS layer 613 in the UE 205 is designed tooperate over the radio resource control (“RRC”) layer, for example,where the UE 205 attaches to the mobile core network 130 over the mobileRAN 120. Here, the adaptation layer 611 performs all the adaptationfunctionality required to enable the operation of NAS layer 613 overDTLS/UDP/IP.

As depicted, the protocol stack of the UE 205 includes WLAN layers 601and an IPv4/v6 layer 603 that interface with the N3IWF 225 via the TWAN610. Additionally, the UE 205 and N3IWF 225 include a user datagramprotocol (“UDP”) layer 701 and a Datagram Transport Layer Security(“DTLS”) layer 703. The UDP layer 701 is a transport layer, while theDTLS layer 703 provides communication security for UDP datagrams. Asdiscussed in greater detail below, the UE 205 and the N3IWF 225 deriveDTLS (pre-shared) keys from the security context received from the CPfunctions 140 during the attach procedure.

The adaptation layer 611 receives the IP address of N3IWF 225 from theN3IWF 225 and establishes a secure DTLS tunnel with the N3IWF 225.Mutual authentication is applied for this DTLS tunnel.

FIG. 8 depicts a protocol architecture 600 for a UE 205 connecting to amobile core network 130 via an untrusted WLAN access network 810 and aN3IWF 225, according to embodiments of the disclosure. The UE 205 issubstantially as described above with reference to FIGS. 2-3 and 6-7.The UE 205 may be one embodiment of the remote unit 105 described abovewith reference to FIG. 1. The mobile core network 130 is substantiallyas described above with reference to FIGS. 1-3 and includes one or moreCP functions 140. The untrusted WLAN access network (“TWAN”) 810 is anembodiment of the WLAN AN 110 and the untrusted non-3GPP access network215 described above with reference to FIGS. 1-3. The N3IWF 225 issubstantially described above with reference to FIGS. 2-3 and 6-7.Additionally, the N3IWF 225 may be one embodiment of the interworkingentity 135 discussed above with reference to FIGS. 1, 4, and 5.

As depicted, the UE 205 communicates with the UTWAN 810 over a NWtinterface. The protocol stack of the UE 205 includes WLAN layers 601, anIPv4/v6 layer 603, a UDP layer 701, an IKEv2 layer 801, and an EAP layer607. The WLAN layers 601 include both a physical layer (layer 1) anddata link layer (layer 2) and terminate at the UTWAN 810. The UTWAN 810has corresponding L2/L1 layers 619 terminating at the N3IWF 225.

The protocol stack of the UE 205 also includes an IPv4/v6 layer 603, anIKEv2 layer 801, and an EAP-AKA′ layer 609 which relate to the UTWAN 810and terminate at the N3IWF 225. The IKEv2 layer 801 allows forestablishment of an IKEv2/IPSec connection to the N3IWF. EAP-AKA′signaling is transmitted over the IKEv2/IPSec connection, embedded inIKEv2 authentication messages. The IKEv2 protocol runs on top of UDP,and the EAP-AKA′ protocol runs on top of IKEv2. Above the EAP-AKA′ layer609, the UE 205 includes an adaptation layer 611. The adaptation layer611 enables operation of the NAS layer 613 over EAP-AKA′/IKEv2/UDP. Asdepicted, the CP functions 140 also include a NAS layer 613.

The protocol stack of the N3IWF 225 includes an attach proxy 615. Theattach proxy 615 performs interworking between the EAP-AKA′ signalingand the NG2 signaling. As depicted, the N3IWF 225 includes NG2 lowerlayers 621 and a NG2 application protocol (“AP”) layer 623. The NG2lower layers 621 and NG2 AP layer 623 terminate at the CP functions 140.As discussed above, the N3IWF 225 communicates with the CP functions 140using the NG2 interface. The attach proxy 615 initiates an attachprocedure toward the CP functions 140 on behalf of the UE 205. Thus, theUE 205 attaches to the mobile core network 130 in parallel withperforming an EAP-AKA′-over-IKEv2 authentication procedure, as discussedin greater detail below with reference to FIGS. 11A-B.

FIG. 9 illustrates one embodiment of a protocol architecture 900 forexchanging NAS signaling between the UE 205 and the CP functions 140 viathe UTWAN 810, according to embodiments of the disclosure. The protocolarchitecture 900 occurs after the UE 205 attaches to the mobile corenetwork 130. As discussed below, FIGS. 11A-B describe an attachmentprocedure used to transition from the protocol architecture 800 to theprotocol architecture 900.

After the UE 205 completes the EAP-AKA′ procedure and attaches to themobile core network 130, the UE 205 may exchange NAS signaling (at theNAS layer 613) with the CP functions 140 over the logical NG1 interface.The UE 205 may use the NG1 interface to request data connection (PDUsession) to communicate with an external data network through the userplane of the mobile core network 130 and via the UTWAN 810. Note thatthe NAS layer 613 in the UE 205 is designed to operate over the RRClayer, for example, where the UE 205 attaches to the mobile core network130 over the mobile RAN 120. Here, the adaptation layer 611 performs allthe adaptation functionality required to enable the operation of NASlayer 613 over IP/ESP/IPSec.

As described below, with reference to FIGS. 11A-B, the UE 205 attachesto the mobile core network 130 (via the CP functions 140) using EAP-AKA′via IKEv2 signaling. During attachment, the UE 205 establishes an IPsectunnel with the N3IWF 225. This IPsec tunnel is supported at theencapsulating security payload (“ESP”)/IPsec layer 901. Again, theadaptation layer 611 enables the operation of the NAS layer 613 overnon-RRC protocols, here the ESP/IPsec layer 901 and IP layer 903. Theadaptation layer 611 discovers the IP address of the N3IWF 225,establishing the IP layer 903. The protocol architecture 900 allows theUE 205 to request a PDU session over the logical NG1 interface whileattached to the mobile core network 130 via the UTWAN 810.

FIG. 10A-10B illustrate a signaling procedure 1000 for connecting to amobile core network 130 via a trusted WLAN access network 610. Thesignaling procedure 1000 depicts actions performed by and communicationsamong the UE 205, the TWAN 610, the N3IWF 225, and the mobile corenetwork 130. The UE 205, the TWAN 610, the N3IWF 225, and the mobilecore network 130 are substantially as described above with reference toFIGS. 1-2 and 5-7. The signaling procedure 1000 depicts how the UE 205is authenticated by the CP functions 140 of the mobile core network 130(via the NG2 interface) and is authorized to access the TWAN 610. Insome embodiments, the N3IWF 225 communicates with a single control planefunction of the CP functions 140 when attaching and authenticating theUE 205. In other embodiments, the N3IWF 225 communicates with aplurality of functions of the CP functions 140 when attaching andauthenticating the UE 205.

Beneficially, steps 1002-1050 below do not require new UE capabilities.Steps 1002-150 may be performed by any UE 205 supporting EAP-AKA′ inorder to connect to a trusted WLAN access network (e.g., the TWAN 610)after being authenticated and authorized by its home PLMN (e.g., themobile core network 130). Such a legacy UE 205 will be able to use theTWAN 610 only for Non-Seamless WLAN Offload (“NSWO”) traffic.

At 1002, the UE 205 discovers and authenticates with the TWAN 610. TheUE 205 applies normal EAP-AKA′ procedures to connect to the TWAN 610. At1004, the UE 205 associates with the TWAN 610 according to existingprocedures.

At 1006, the TWAN 610 begins an IEEE 802.1x access control procedure bytransmitting an EAP-REQ/Identity request. Note that 802.1x messages(e.g., EAP-over-LAN) are not shown in the signaling procedure 1000. At1008, the UE 205 provides an identity along with a realm, which isprimarily used for routing purposes. Based on the provided realm, theTWAN 610 routes the EAP-RSP/Identity message to the N3IWF 225. At 1010,the N3IWF 225 then requests a specific identity (e.g., a permanent ortemporary subscriber identity) from the UE 205. Note that, from the TWAN610 point of view, the N3IWF 225 serves as an AAA server, encapsulatingthe EAP-AKA′ signaling within AAA messages.

In some embodiments, the mobile core network 130 includes multiplenetwork slices. If the UE 205 supports network slice selection overtrusted WLAN access, then the UE 205 may provide slice selection“assistance information” to the N3IWF 225. In one embodiment, the UE 205provides the slice selection information by decorating the providedidentity with slice selection “assistance information.” This “assistanceinformation” is used by the N3IWF 225 to select a suitable network slicefor the UE 205.

For example, based on the slice selection “assistance information” theN3IWF 225 may select a slice optimized for IoT operation. Thus, if theUE 205 has the IMSI identity “295023820005424,” then the UE 205 mayprovide a decorated IMSI identity of “295023820005424%iot”. Here, “%” isa special character reserved to separate the IMSI identity from theslice selection ‘assistance information’ which, in this example, is‘iot’. As will be appreciated by one of skill in the art, the specialcharacter is not limited to “%”, it may be any suitable characterreserved to distinguish the subscriber identity from the slice selectioninformation.

Alternatively, instead of decorating the UE identity, a new EAP-AKA′attribute e.g., parameter or information element within a EAP-AKA′identity message) may be defined that carries the slice selection“assistance information” from the UE. At 1012, the UE 205 transmits anEAP-AKA′ identity response, here depicted as containing slice selectioninformation, and the TWAN 610 forwards the identity response to theN3IWF 225. At 1014, the N3IWF 225 performs network slice selection basedon the slice selection information.

At 1016, the attach proxy 615 in the N3IWF 225 creates an initial UEmessage containing an attach request message on behalf of the UE 205.The attach request message includes the received subscriber identity ofthe UE 205. The attach request message also includes a “type”information element (IE) indicating that the attachment is over atrusted non-3GPP access network (e.g., the TWAN 610). The attach requestmessage may further include the identity (e.g., ESSID) of the TWAN 610.

The attach request message is used to authenticate the UE 205 andauthorize access to the TWAN 610. In certain embodiments, the attachrequest message omits information elements specific to 3GPP (RAN)access, such as old location area identity (“LAI”), UE networkcapabilities, discontinuous reception (“DRX”) parameters, and the like.

At 1018, the mobile core network 130 obtains authentication vectors.Here, the CP functions 140 consult with the HSS 150 to obtain theauthentication vectors. At 1020, the CP functions 140 of the mobile corenetwork 130 derive keying material.

At 1022, the CP functions 140 send a DL NAS transport message to theN3IWF 225 over the NG2 interface, the DL NAS transport messagecontaining an authentication request. The authentication request is partof the 3GPP attach procedure and includes a random value (“RAND”), anauthentication parameter (“AUTN”), and a plurality of transient EAP keys(“TEKs”). Specifically, the N3IWF 225 receives authentication key(“K_aut”) and encryption key (“K_encr”) TEKs which are used to protectthe EAP-AKA′ signaling between the UE 205 and N3IWF 225. In certainembodiments, the TEKs keys are included in the Authentication Requestonly when the type IE in the Attach Request indicates non-3GPP access.

At 1024, the N3IWF 225 sends an EAP-AKA′ authentication message (here anEAP-REQ/AKA-Challenge message) to UE 205. The RAND and AUTN parametersreceived at 1022 are included in this message. Also, the EAP-AKA′authentication message includes a message authentication code attribute(“AT_MAC”) calculated based on the K_aut key received at 1022. If thereis need to send encrypted parameters to the UE 205 (e.g., inside aAT_ENCR_DATA attribute), these parameters are encrypted based on theK_encr key received at 1022.

At 1026, the UE 205 verifies the AUTN, generates the session keys (e.g.,a master session key (“MSK”), an extended master session key (“EMSK”),the K_aut key, the K_encr key, etc.) and derives a result (RES) to theEAP-AKA′ authentication message (e.g., the EAP-REQ/AKA-Challengemessage) containing a result attribute (“AT_RES”). At 1028 the UE 205sends an EAP-AKA′ authentication response (here an EAP-REQ/AKA-Challengeresponse) to the N3IWF 225. At 1030, the N3IWF derives a 3GPPAuthentication Response message containing the result (RES) receivedfrom the EAP-AKA′ response. The N3IWF 225 also sends the 3GPPAuthentication Response message to the CP functions 140 over NG2.

At 1032, the CP functions 140 verify the result (RES). If the result(RES) is correct, the CP functions 140 respond with an Attach Acceptmessage at 1034 (shown embedded in a “Initial Context Setup Request”message). This Attach Accept message may include parameters (referred toas IEs in FIG. 10B) to be transferred to the UE 205. For example, theAttach Accept message may include a temporary UE identity. Additionally,the “Initial Context Setup Request” message may include security contextcontaining the session keys (e.g., MSK, EMSK) previously derived by theUE 205 and which are needed to protect the WLAN air interface traffic.

At 1036, the N3IWF 225 derives a “DTLS key” (e.g., from the EMSK) to beused at a later point for the establishment of a secure DTLS connectionwith the UE 205. As used herein, the “DTLS key” refers to a security keyused as a pre-shared key to establish the DTLS connection. Note that thesame DTLS key is also derived by the UE 205 after the successfulauthentication. At 1038, the N3IWF 225 sends an EAP-AKA′ notificationmessage (here a EAP-REQ/AKA-Notification message) to the UE 205 whichincludes the address of N3IWF 225 and other parameters (IEs) that wereincluded in the Attach Accept message (e.g., a new temporary identity).Note that a legacy UE 205 will ignore the address of N3IWF and the otherparameters (IEs).

At 1040, the UE 205 responds with EAP-AKA′ notification response (herean EAP-RES/AKA-Notification) which triggers the N3IWF 225 to send anAttach Complete message to CP functions 140 at 1042. At 1044, theEAP-AKA′ authentication procedure completes with an EAP-Success message.The MSK is further transferred to the TWAN 610 (also at 1044) in orderto derive the Pairwise Master Key (PMK), as defined in the IEEE 802.11specification.

At 1046, the N3IWF 225 creates a UE Context which stores informationsuch as the UE MAC address, the UE temporary identity (included in theAttach Accept message), the EAP-AKA′ identities of the UE 205 (e.g. apseudonym and/or fast re-authentication identities), and the like. Atthis point, the UE 205 is connected to (e.g., associated with) the TWAN610 and can establish layer-3 connectivity at 1048, e.g., by receivingan IPv4 address via DHCP. At 1050, the UE 205 can then use the TWAN 610for NSWO traffic.

Note that the above steps of the signaling procedure 1000 do not requirenew UE capabilities and thus may be performed by a legacy UE 205.However, steps 1052-1056 require new UE capabilities.

At 1052, the UE 205 derives the DTSL key as discussed above, in responseto the successful authentication of the UE 205 at the mobile corenetwork 130. At 1054, the adaptation layer 611 in the UE 205 establishesa secure DTLS connection to the N3IWF 225 by using the security keyderived in step 1052 as a DTLS pre-shared key. The adaptation layer 611in the UE 205 initiates the DTLS connection to the address of N3IWF 225received in step 1038.

At 1056, the adaptation layer 611 in the UE 205 notifies the NAS layer613 that a 3GPP attach via trusted WLAN access (e.g., the TWAN 610) iscompleted. The adaptation layer 611 also provides to the NAS layer 613the IEs provided by the mobile core network 130 in the Attach Acceptmessage (e.g., as received by the UE 205 at 1038). At this point, theNAS layer 613 in the UE 205 may initiate NAS signaling with the CPfunctions 140 in the network, e.g., in order to setup a PDU session overWLAN access.

FIG. 11A-11B illustrate a signaling procedure 1100 for connecting to amobile core network 130 via an untrusted WLAN access network 810. Thesignaling procedure 1100 depicts actions performed by and communicationsamong the UE 205, the UTWAN 810, the N3IWF 225, and the mobile corenetwork 130. The UE 205, the UTWAN 810, the N3IWF 225, and the mobilecore network 130 are substantially as described above with reference toFIGS. 1-2 and 8-9. The signaling procedure 1100 depicts how the UE 205connects to the UTWAN 810 and then establishes an IPsec connection toN3IWF 225 which is authenticated by and attached to the mobile corenetwork 130 (via the NG2 interface). In some embodiments, the N3IWF 225communicates with a single control plane function of the CP functions140 when attaching and authenticating the UE 205. In other embodiments,the N3IWF 225 communicates with a plurality of functions of the CPfunctions 140 when attaching and authenticating the UE 205. The IPsecconnection may later be used to exchange NAS signaling messages betweenthe UE 205 and the CP functions 140 in the mobile core network 130.

At 1102, the UE 205 discovers and associates with the UTWAN 810according to existing procedures. Where needed, the UE 205 isauthenticated by the UTWAN 810 at 1104. This authentication is not a3GPP-based authentication because the UTWAN 810 is not a trustednon-3GPP access network and it may not support 3GPP-basedauthentication. The UE 205 may use any non-3GPP method to authenticateand connect with the UTWAN 810. For example, the UE 205 may connect tothe UTWAN 810 without authentication in the case of open (free) WLAN asan example, the UE 205 may authenticate with the UTWAN 810 via EAP withthe pre-shared key, using a username/password combination, and the like.

At 1106, the UE 205 is connected to the UTWAN 810 and can establishlayer 3 connectivity, for example by receiving an IP address via DynamicHost Configuration Protocol (“DHCP”). At 1108, the UE 205 needs todiscover the idea IP address of the N3IWF 255. Here, UE 205 may performan ePDG discovery procedure (e.g., as specified in 3GPP TS 23.402) inorder to discover the N3IWF 225.

At 1110, the NAS layer 613 sends an attach request to the adaptationlayer 611. In response to the attach request, the adaptation layer 611initiate the establishment of a secure IPsec tunnel between the UE 205and the N3IWF 225. The adaptation layer 611 does not forward the attachrequest received from the NAS layer 613. Rather, the adaptation layer611 initiates IKEv2 procedures to establish the secure IPsec tunnel.

At 1112, the UE 205 and the N3IWF 225 exchange security associationinitiation messages (here “IKE_SA_INIT” messages). At 1114, the UE 205sends an IKEv2 authentication request message (here an “IKE_AUTHRequest” message) to the N3IWF 225. Here, the authentication request mayinclude an identity of the UE 205. However, at 1116, the N3IWF 225 sendsa EAP-AKA′ identity request to the UE 205 within the IKEv2 signaling(here embedded in an “IKE_AUTH Response” message). As discussed abovewith reference to FIG. 10 a, the N3IWF 225 may request a specificidentity from the UE 205.

At 1118, the UE 205 sends an EAP-AKA′ identity response to the N3IWF 225which contains the subscriber identity of the UE 205 (e.g., an IMSI).Optionally, the EAP-AKA′ identity response may also include sliceselection information, for example as a decorated identity or as aseparate attribute, as discussed above with reference to FIG. 10A. Notethat the UE 205 embeds the EAP-AKA′ identity response within an IKEv2authentication request message. At 1120, the N3IWF 225 performs networkslice selection based on the slice selection information.

At 1122, the attach proxy 615 in the N3IWF 225 creates an initial UEmessage containing an attach request message on behalf of the UE 205.Note here that this is a separate attach request message than thatgenerated by the NAS layer 613 at 1110. However, it includes the samesubscriber identity as the subscriber identity in the attach request at1110. The attach proxy 615 creates the new attach request message onbehalf of the UE 205 in response to the EAP-AKA′ identity responsemessage. The attach request message is used to authenticate the UE 205and authorize the establishment of the IPsec tunnel to N3IWF 225.

The attach request message includes the received subscriber identity ofthe UE 205. The attach request message also includes a “type”information element (IE) indicating that the attachment is over anuntrusted non-3GPP access network (e.g., the UTWAN 810). The attachrequest message may further include the identity (e.g., ESSID) of theUTWAN 810. In certain embodiments, the attach request message omitsinformation elements specific to 3GPP (RAN) access, such as old locationarea identity (“LAI”), UE network capabilities, discontinuous reception(“DRX”) parameters, and the like.

At 1124, the mobile core network 130 obtains authentication vectors.Here, the CP functions 140 consult with the HSS 150 to obtain theauthentication vectors. At 1126, the CP functions 140 of the mobile corenetwork 130 derive keying material.

Referring now to FIG. 11B, the CP functions 140 send a DL NAS transportmessage containing an authentication request to the N3IWF 225 over theNG2 interface at 1128. The authentication request is part of the 3GPPattach procedure and includes a random value (“RAND”), an authenticationparameter (“AUTN”), and a plurality of transient EAP keys (“TEKs”).Specifically, the N3IWF 225 receives authentication key (“K_aut”) andencryption key (“K_encr”) TEKs which are used to protect the EAP-AKA′signaling between the UE 205 and N3IWF 225. In certain embodiments, theTEKs keys are included in the Authentication Request only when the typeIE in the Attach Request indicates non-3GPP access.

At 1130, the N3IWF 225 sends an EAP-AKA′ authentication message (here anEAP-REQ/AKA-Challenge message) to UE 205. Note that the EAP-AKA′authentication message is embedded within the IKEv2 signaling (here anIKE authentication response message). The RAND and AUTN parametersreceived at 1128 are included in this message. Also, the EAP-AKA′authentication message includes a message authentication code attribute(“AT_MAC”) calculated based on the K_aut key received at 1128. If thereis need to send encrypted parameters to the UE 205 (e.g., inside aAT_ENCR_DATA attribute), these parameters are encrypted based on theK_encr key received at 1128.

At 1132, the UE 205 verifies the AUTN, generates the session keys (e.g.,a master session key (“MSK”), an extended master session key (“EMSK”),the K_aut key, the K_encr key, etc.) and derives a result (RES) to theEAP-AKA′ authentication message (e.g., the EAP-REQ/AKA-Challengemessage) containing a result attribute (“AT_RES”). At 1134 the UE 205sends an EAP-AKA′ authentication response (here an EAP-REQ/AKA-Challengeresponse) to the N3IWF 225. Note that the EAP-AKA′ authenticationresponse is embedded within the IKEv2 signaling (here an IKEauthentication request message). At 1136, the N3IWF derives a 3GPPAuthentication Response message containing the result (RES) receivedfrom the EAP-AKA′ response. The N3IWF 225 also sends the 3GPPAuthentication Response message to the CP functions 140 over NG2.

At 1138, the CP functions 140 verify the result (RES). If the result(RES) is correct, the CP functions 140 respond with an Attach Acceptmessage at 1140 (shown embedded in a “Initial Context Setup Request”message). This Attach Accept message may include parameters (referred toas IEs in FIG. 10B) to be transferred to the UE 205. For example, theAttach Accept message may include a temporary UE identity. Additionally,the Initial Context Setup Request message may include security contextcontaining the session keys (e.g., MSK, EMSK) previously derived by theUE 205 and which are needed to protect the WLAN air interface traffic.

At 1142, the N3IWF 225 sends an EAP-AKA′ notification message (here aEAP-REQ/AKA-Notification message embedded within a IKEv2 authenticationresponse) to the UE 205 which includes the parameters (IEs) that wereincluded in the Attach Accept message (e.g., a new temporary identity).Note that a legacy UE 205 will ignore the other parameters (IEs).

At 1144, the UE 205 responds with an EAP-AKA′ notification response(here an EAP-RES/AKA-Notification embedded within a IKEv2 authenticationrequest) which triggers the N3IWF 225 to send an Attach Complete messageto CP functions 140 at 1146. At 1148, the EAP-AKA′ authenticationprocedure completes with an EAP-Success message.

At 1150, the N3IWF 225 creates a UE Context which stores informationsuch as the UE IP address, the UE temporary identity (included in theAttach Accept message), the EAP-AKA′ identities of the UE 205 (e.g. apseudonym and/or fast re-authentication identities), and the like. Atthis point, the adaptation layer 611 in the UE 205 responds to the NASlayer 613 with the Attach Accept message. At this point, an IPsec tunnelis established between the UE 205 and N3IWF 225. At 1154, the IPsectunnel is used exchange NAS signaling between the UE 205 in the CPfunctions 140.

FIG. 12 depicts a method 1200 for connecting a remote unit to a mobilecore network via a non-3GPP access network, according to embodiments ofthe disclosure. In some embodiments, the method 1200 is performed by aninterworking function, such as the interworking entity 135 and/or theN3IWF 225. In certain embodiments, the method 1200 may be performed by aprocessor executing program code, for example, a microcontroller, amicroprocessor, a CPU, a GPU, an auxiliary processing unit, a FPGA, orthe like.

The method 1200 begins and receives 1205, at the interworking entity, afirst authentication request from an access point in a non-3GPP accessnetwork, the first authentication request being part of a firstauthentication procedure and containing a subscriber identity of theremote unit. The method 1200 includes creating 1210, by the interworkingentity, a request on behalf of the remote unit, wherein the createdrequest is not present in the first authentication request and whereinthe created request includes the subscriber identity.

The method 1200 includes sending 1215, by the interworking entity, thecreated request to a mobile core network to initiate connection of theremote unit to the mobile core network. The method 1200 includesreceiving 1220, at an interworking entity, a second authenticationrequest from the mobile core network, wherein the second authenticationrequest is part of a NAS authentication procedure different than thefirst authentication procedure.

The method 1200 includes transforming 1225, by the interworking entity,the second authentication request into a third authentication request ofthe first authentication procedure. The method 1200 includes using 1230,by the interworking entity, an authentication response of the firstauthentication procedure to complete connection to the mobile corenetwork

Disclosed herein is a first apparatus for connecting a remote unit to amobile core network via a non-3GPP access network, according toembodiments of the disclosure. The first apparatus may be implemented byan interworking function, such as the interworking entity 135 and/or theN3IWF 225. The first apparatus includes a processor, a first networkinterface that communicates with a remote unit over a non-3GPP accessnetwork, and a second network interface that communicates with a mobilecore network. The processor initiates a first authentication procedurewith the remote unit over the non-3GPP access network and sends anattach request to the mobile core network on behalf of the remote unit.The processor receives an attachment authentication request from themobile core network and transforms the attachment authentication requestinto authentication request of the first authentication procedure. Theprocessor uses an authentication response of the first authenticationprocedure to complete attachment to the mobile core network.

In some embodiments, the processor initiates the first authenticationprocedure by requesting a subscriber identity of the remote unit. Incertain embodiments, the processor further receives a subscriberidentity response containing the subscriber identity and slice selectioninformation. Here, the processor sends the attach request to aparticular network slice in the mobile core network based on the sliceselection information, the mobile core network including at least twonetwork slices. In further embodiments, the subscriber identity responsecontains a decorated identity, the decorated identity combining thesubscriber identity and the slice selection information into a singlevalue.

In certain embodiments, the attach request includes the subscriberidentity and indicates an attachment over the non-3GPP access network.In further embodiments, the attach request includes an identity of thenon-3GPP access network.

In some embodiments, the non-3GPP access network is a trusted WLANcontaining at least one WLAN access point and the apparatus. In someembodiments, the attachment authentication request includes transientsecurity keys for protecting messages of the first authenticationcommunicated between the remote unit and the apparatus. In someembodiments, sending an attach request to the mobile core network onbehalf of the remote unit includes sending the attach request to acontrol plane function of the mobile core network.

In some embodiments, the processor further creates a security key inresponse to completing attachment to the mobile core network. In certainembodiments, the processor further establishes a secure connection withthe remote unit in response to completing attachment to the mobile corenetwork, wherein the secure connection is established by using thesecurity key.

In certain embodiments, the secure connection is a DTLS connection andthe security key is used as a pre-shared key to establish the DTLSconnection. In further embodiments, the processor relays Non-AccessStratum messages between the remote unit and the mobile core network inresponse to establishing the secure connection.

In some embodiments, the first authentication procedure is an EAP-AKA′procedure. In certain embodiments, the non-3GPP access network is anuntrusted wireless local area network and wherein the EAP-AKA′ procedureis embedded into an IKEv2 procedure. In certain embodiments, theauthentication request of the first authentication procedure is anEAP-AKA′ challenge message and the authentication response of the firstauthentication procedure is a EAP-AKA′ challenge response, wherein usingan authentication response of the first authentication procedure tocomplete attachment to the mobile core network includes the processorgenerating an attachment authentication response using the EAP-AKA′challenge response and sending the attachment authentication response toa control plane function of the mobile core network.

In certain embodiments, the processor further receives an attach acceptmessage from the mobile core network in response to the attachmentauthentication response and security keys for protecting user trafficover the non-3GPP access network. In certain embodiments, the processorfurther sends a EAP-AKA′ notification to the remote unit, the EAP-AKA′notification including a network address of the apparatus.

In some embodiments, the processor further generates a remote unitcontext in response to completing attachment to the mobile core network,the remote unit context including a network address of the remote unit,a subscriber identity of the remote unit, and one or more EAP-AKA′identities of the remote unit.

Disclosed herein is a first method for connecting a remote unit to amobile core network via a non-3GPP access network, according toembodiments of the disclosure. The first method may be performed by aninterworking function, such as the interworking entity 135 and/or theN3IWF 225. The first method includes initiating, at the interworkingentity, a first authentication procedure with a remote unit over anon-3GPP access network and sending, by the interworking entity, anattach request to a mobile core network on behalf of the remote unit.The first method includes receiving, at the interworking entity, anattachment authentication request from the mobile core network andtransforming, by the interworking entity, the attachment authenticationrequest into an authentication request of the first authenticationprocedure. The first method includes using, by the interworking entity,an authentication response of the first authentication procedure tocomplete attachment to the mobile core network.

In some embodiments, initiating the first authentication procedureincludes the interworking entity requesting a subscriber identity of theremote unit. In some embodiments, the first method further includes theinterworking entity receiving a subscriber identity response containingthe subscriber identity and slice selection information, wherein sendingan attach request to the mobile core network on behalf of the remoteunit includes the interworking entity sending the attach request to aparticular network slice in the mobile core network based on the sliceselection information, the mobile core network including at least twonetwork slices.

In certain embodiments, the subscriber identity response contains adecorated identity, the decorated identity combining the subscriberidentity and the slice selection information into a single value. Incertain embodiments, the attach request includes the subscriber identityand indicates an attachment over the non-3GPP access network. In oneembodiment, the attach request further includes an identity of thenon-3GPP access network.

In certain embodiments, the non-3GPP access network is a trusted WLANcontaining at least one WLAN access point and the interworking entity.In some embodiments, the attachment authentication request includestransient security keys for protecting messages of the firstauthentication procedure communicated between the remote unit and theinterworking entity. In some embodiments, sending an attach request tothe mobile core network on behalf of the remote unit includes theinterworking entity sending the attach request to a control planefunction of the mobile core network.

In some embodiments, the first method further includes the interworkingentity creating a security key in response to completing attachment tothe mobile core network. In certain embodiments, the first method alsoincludes the interworking entity establishing a secure connection withthe remote unit in response to completing attachment to the mobile corenetwork, wherein the secure connection is established using the securitykey.

In certain embodiments, the secure connection is a DTLS connection andthe security key is used as a pre-shared key to establish the DTLSconnection. In certain embodiments, the first method further includesthe interworking entity relaying NAS messages between the remote unitand the mobile core network in response to establishing the secureconnection. In some embodiments, the first authentication procedure isan EAP-AKA′ procedure. In certain embodiments, the non-3GPP accessnetwork is an untrusted wireless local area network and wherein theEAP-AKA′ procedure is embedded into an IKEv2 procedure.

In certain embodiments, the authentication request of the firstauthentication procedure is an EAP-AKA′ challenge message and theauthentication response of the first authentication procedure is aEAP-AKA′ challenge response, wherein using an authentication response ofthe first authentication procedure to complete attachment to the mobilecore network includes the interworking entity generating an attachmentauthentication response using the EAP-AKA′ challenge response andsending the attachment authentication response to a control planefunction of the mobile core network.

In certain embodiments, the first method may include the interworkingentity receiving an attach accept message from the mobile core networkin response to the attachment authentication response and security keysfor protecting user traffic over the non-3GPP access network. In certainembodiments, the first method may include the interworking entitysending a EAP-AKA′ notification to the remote unit, the EAP-AKA′notification including a network address of the interworking entity.

In some embodiments, the first method includes the interworking entitygenerating a remote unit context in response to completing attachment tothe mobile core network, the remote unit context including a networkaddress of the remote unit, a subscriber identity of the remote unit,and one or more EAP-AKA′ identities of the remote unit.

Disclosed herein is a second apparatus for connecting a remote unit to amobile core network via a non-3GPP access network, according toembodiments of the disclosure. The second apparatus may be implementedby an interworking function, such as the interworking entity 135 and/orthe N3IWF 225. The second apparatus includes a processor, a firstnetwork interface that communicates towards a remote unit over anon-3GPP access network, and a second network interface thatcommunicates with a mobile core network. The processor receives a firstauthentication request from an access point in the non-3GPP accessnetwork and containing a subscriber identity of the remote unit andcreates a request on behalf of the remote unit. Here, the firstauthentication request is part of a first authentication procedure,where the created request is not present in the first authenticationrequest and where the created request includes the subscriber identity.The processor sends the created request to the mobile core network toinitiate connection of the remote unit to the mobile core network andreceives a second authentication request from the mobile core network,where the second authentication request is part of a NAS authenticationprocedure different than the first authentication procedure. Theprocessor transforms the second authentication request into a thirdauthentication request of the first authentication procedure and uses anauthentication response of the first authentication procedure tocomplete connection of the remote unit to the mobile core network.

In some embodiments, the first authentication request contains sliceselection information, where the processor sends the created request toa particular network slice in the mobile core network based on the sliceselection information, the mobile core network including at least twonetwork slices. In some embodiments, where the first authenticationrequest contains a decorated identity, the decorated identity includingthe subscriber identity and the slice selection information.

In some embodiments, the access point is a WLAN access point, whereinthe non-3GPP access network is a trusted WLAN containing at least theWLAN access point and the apparatus. In some embodiments, the processorfurther creates a master key in response to completing connection to themobile core network, wherein the master key is used to secure thecommunication between the remote unit and the access point. In someembodiments, the first authentication procedure is an EAP-AKA′procedure.

In some embodiments, the first authentication request of the firstauthentication procedure is an EAP-Response identity message includingthe subscriber identity, wherein the second authentication request fromthe mobile core network is a NAS authentication request message, whereinthe third authentication request of the first authentication procedureincludes an EAP-AKA′ challenge request, and wherein the authenticationresponse of the first authentication procedure includes an EAP-AKA′challenge response.

In certain embodiments, using an authentication response of the firstauthentication procedure to complete connection to the mobile corenetwork includes the processor generating a NAS authentication responseusing the EAP-AKA′ challenge response message and sending the NASauthentication response to a control plane function of the mobile corenetwork. In certain embodiments, the processor further receives anaccept message from the mobile core network in response to sending theNAS authentication response to a control plane function of the mobilecore network. In certain embodiments, the processor transforms thesecond authentication request into a third authentication request of thefirst authentication procedure includes creating the EAP-AKA′ challengerequest using the information contained in the NAS authenticationrequest.

Disclosed herein is a second method for connecting a remote unit to amobile core network via a non-3GPP access network, according toembodiments of the disclosure. The second method may be performed by aninterworking function, such as the interworking entity 135 and/or theN3IWF 225. The second method includes receiving, at the interworkingentity, a first authentication request from an access point in anon-3GPP access network, the first authentication request being part ofa first authentication procedure and containing a subscriber identity ofthe remote unit. The second method includes creating, by theinterworking entity, a request on behalf of the remote unit, wherein thecreated request is not present in the first authentication request andwherein the created request includes the subscriber identity. The secondmethod includes sending, by the interworking entity, the created requestto a mobile core network to initiate connection of the remote unit tothe mobile core network. The second method includes receiving, at aninterworking entity, a second authentication request from the mobilecore network, wherein the second authentication request is part of a NASauthentication procedure different than the first authenticationprocedure. The second method includes transforming, by the interworkingentity, the second authentication request into a third authenticationrequest of the first authentication procedure. The second methodincludes using, by the interworking entity, an authentication responseof the first authentication procedure to complete connection to themobile core network.

In some embodiments of the second method, the first authenticationrequest contains slice selection information, wherein sending thecreated request to the mobile core network on behalf of the remote unitincludes the interworking entity sending the request to a particularnetwork slice in the mobile core network based on the slice selectioninformation, the mobile core network including at least two networkslices. In some embodiments of the second method, the firstauthentication request contains a decorated identity, the decoratedidentity including the subscriber identity and the slice selectioninformation.

In some embodiments of the second method, the access point is a WLANaccess point, wherein the non-3GPP access network is a trusted WLANcontaining at least the WLAN access point and the interworking entity.In some embodiments, the second method further including theinterworking entity creating a master key in response to completingconnection to the mobile core network, wherein the master key is used tosecure the communication between the remote unit and the access point.In some embodiments of the second method, the first authenticationprocedure is an EAP-AKA′ procedure.

In some embodiments of the second method, the first authenticationrequest of the first authentication procedure is an EAP-Responseidentity challenge message including the subscriber identity, whereinsecond authentication request from the mobile core network is a NASauthentication request message, wherein the third authentication requestof the first authentication procedure includes an EAP-AKA′ challengerequest, and wherein the authentication response of the firstauthentication procedure includes an EAP-AKA′ challenge response.

In certain embodiments, using an authentication response of the firstauthentication procedure to complete connection to the mobile corenetwork includes the interworking entity generating a NAS authenticationresponse using the EAP-AKA′ challenge response message and sending theNAS authentication response to a control plane function of the mobilecore network. In certain embodiments, the second method further includesthe interworking entity receiving an accept message from the mobile corenetwork in response to sending the NAS authentication response to acontrol plane function of the mobile core network.

In certain embodiments of the second method, transforming the secondauthentication request into a third authentication request of the firstauthentication procedure includes creating the EAP-AKA′ challengerequest using the information contained in the NAS authenticationrequest.

Embodiments may be practiced in other specific forms. The describedembodiments are to be considered in all respects only as illustrativeand not restrictive. The scope of the invention is, therefore, indicatedby the appended claims rather than by the foregoing description. Allchanges which come within the meaning and range of equivalency of theclaims are to be embraced within their scope.

The invention claimed is:
 1. An apparatus comprising: a first networkinterface that communicates towards a remote unit over a non-ThirdGeneration Partnership Project (“non-3GPP”) access network; a secondnetwork interface that communicates with a mobile core network; aprocessor that: receives a first authentication request from an accesspoint in the non-3GPP access network, the first authentication requestbeing part of a first authentication procedure and containing asubscriber identity of the remote unit; creates a request on behalf ofthe remote unit, wherein the created request is not present in the firstauthentication request and wherein the created request includes thesubscriber identity; sends the created request to the mobile corenetwork to initiate connection of the remote unit to the mobile corenetwork; receives a second authentication request from the mobile corenetwork, wherein the second authentication request is part of aNon-Access Stratum (“NAS”) authentication procedure different than thefirst authentication procedure; transforms the second authenticationrequest into a third authentication request of the first authenticationprocedure; and uses an authentication response of the firstauthentication procedure to complete connection of the remote unit tothe mobile core network.
 2. The apparatus of claim 1, wherein the firstauthentication request comprises slice selection information, whereinthe processor sends the created request to a particular network slice inthe mobile core network based on the slice selection information, themobile core network comprising at least two network slices.
 3. Theapparatus of claim 1, wherein the first authentication request containsa decorated identity, the decorated identity comprising the subscriberidentity and slice selection information.
 4. The apparatus of claim 1,wherein the access point is a wireless local area network (“WLAN”)access point, wherein the non-3GPP access network is a trusted WLANcontaining at least the WLAN access point and the apparatus.
 5. Theapparatus of claim 1, wherein the processor further creates a master keyin response to completing connection to the mobile core network, whereinthe master key is used to secure the communication between the remoteunit and the access point.
 6. The apparatus of claim 1, wherein thefirst authentication procedure is an Improved Extensible AuthenticationProtocol for 3rd Generation Authentication and Key Agreement(“EAP-AKA′”) procedure.
 7. The apparatus of claim 1, wherein the firstauthentication request of the first authentication procedure is anEAP-Response identity message including the subscriber identity, whereinthe second authentication request from the mobile core network is a NASauthentication request message, wherein the third authentication requestof the first authentication procedure comprises an EAP-AKA′ challengerequest, and wherein the authentication response of the firstauthentication procedure comprises an EAP-AKA′ challenge response. 8.The apparatus of claim 7, wherein using an authentication response ofthe first authentication procedure to complete connection to the mobilecore network comprises the processor generating a NAS authenticationresponse using the EAP-AKA′ challenge response message and sending theNAS authentication response to a control plane function of the mobilecore network.
 9. The apparatus of claim 7, wherein the processor furtherreceives an accept message from the mobile core network in response tosending the NAS authentication response to a control plane function ofthe mobile core network.
 10. The apparatus of claim 7, wherein theprocessor transforms the second authentication request into a thirdauthentication request of the first authentication procedure comprisescreating the EAP-AKA′ challenge request using information contained inthe NAS authentication request.
 11. A method comprising: receiving, atan interworking entity, a first authentication request from an accesspoint in a non-3GPP access network, the first authentication requestbeing part of a first authentication procedure and containing asubscriber identity of a remote unit; creating, by the interworkingentity, a request on behalf of the remote unit, wherein the createdrequest is not present in the first authentication request and whereinthe created request includes the subscriber identity; sending, by theinterworking entity, the created request to a mobile core network toinitiate connection of the remote unit to the mobile core network;receiving, at an interworking entity, a second authentication requestfrom the mobile core network, wherein the second authentication requestis part of a Non-Access Stratum (“NAS”) authentication proceduredifferent than the first authentication procedure; transforming, by theinterworking entity, the second authentication request into a thirdauthentication request of the first authentication procedure; and using,by the interworking entity, an authentication response of the firstauthentication procedure to complete connection to the mobile corenetwork.
 12. The method of claim 11, wherein the first authenticationrequest comprises slice selection information, wherein sending thecreated request to the mobile core network on behalf of the remote unitcomprises the interworking entity sending the request to a particularnetwork slice in the mobile core network based on the slice selectioninformation, the mobile core network comprising at least two networkslices.
 13. The method of claim 11, wherein the first authenticationrequest contains a decorated identity, the decorated identity comprisingthe subscriber identity and slice selection information.
 14. The methodof claim 11, wherein the access point is a wireless local area network(“WLAN”) access point, wherein the non-3GPP access network is a trustedWLAN containing at least the WLAN access point and the interworkingentity.
 15. The method of claim 11, further comprising the interworkingentity creating a master key in response to completing connection to themobile core network, wherein the master key is used to securecommunication between the remote unit and the access point.
 16. Themethod of claim 11, wherein the first authentication procedure is anImproved Extensible Authentication Protocol for 3rd GenerationAuthentication and Key Agreement (“EAP-AKA′”) procedure.
 17. The methodof claim 11, wherein the first authentication request of the firstauthentication procedure is an EAP-Response identity challenge messageincluding the subscriber identity, wherein second authentication requestfrom the mobile core network is a NAS authentication request message,wherein the third authentication request of the first authenticationprocedure comprises an EAP-AKA′ challenge request, and wherein theauthentication response of the first authentication procedure comprisesan EAP-AKA′ challenge response.
 18. The method of claim 17, whereinusing an authentication response of the first authentication procedureto complete connection to the mobile core network comprises theinterworking entity generating a NAS authentication response using theEAP-AKA′ challenge response message and sending the NAS authenticationresponse to a control plane function of the mobile core network.
 19. Themethod of claim 17, further comprising the interworking entity receivingan accept message from the mobile core network in response to sendingthe NAS authentication response to a control plane function of themobile core network.
 20. The method of claim 17, wherein transformingthe second authentication request into a third authentication request ofthe first authentication procedure comprises creating the EAP-AKA′challenge request using information contained in the NAS authenticationrequest.